ms-swift 2.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the ms-swift package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Deserialization of Untrusted Data ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `load_model_meta` function. An attacker can execute arbitrary code by supplying a maliciously crafted serialized `.mdl` file that is deserialized using `pickle.load` from untrusted sources. Note: This is only exploitable if a user loads a model checkpoint file that has been tampered with by an attacker, typically during a normal training process, without being aware of the malicious payload. How to fix Deserialization of Untrusted Data? Upgrade `ms-swift` to version 3.0.0 or higher.	[,3.0.0)
H Deserialization of Untrusted Data ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `torch.load` function. An attacker can execute arbitrary commands by uploading a maliciously crafted adapter model file that triggers unsafe deserialization when loaded. This is only exploitable if the environment uses a torch version lower than 2.6.0 while the application accepts torch versions greater than or equal to 2.0. How to fix Deserialization of Untrusted Data? Upgrade `ms-swift` to version 3.7.0 or higher.	[,3.7.0)
M Improper Output Neutralization for Logs ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the `train` method. An attacker can execute arbitrary system commands by injecting malicious input into parameters that are concatenated into shell commands. How to fix Improper Output Neutralization for Logs? Upgrade `ms-swift` to version 3.7.0 or higher.	[,3.7.0)
L Deserialization of Untrusted Data ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `yaml.load` function in `tests/run.py` when handling user-supplied YAML configuration files. An attacker can execute arbitrary code by providing a malicious YAML file to the `--run_config` argument. How to fix Deserialization of Untrusted Data? Upgrade `ms-swift` to version 3.7.0 or higher.	[,3.7.0)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load_model_meta function. An attacker can execute arbitrary code by supplying a maliciously crafted serialized .mdl file that is deserialized using pickle.load from untrusted sources.

Note:

This is only exploitable if a user loads a model checkpoint file that has been tampered with by an attacker, typically during a normal training process, without being aware of the malicious payload.

How to fix Deserialization of Untrusted Data?

Upgrade ms-swift to version 3.0.0 or higher.

[,3.0.0)

Deserialization of Untrusted Data

ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the torch.load function. An attacker can execute arbitrary commands by uploading a maliciously crafted adapter model file that triggers unsafe deserialization when loaded. This is only exploitable if the environment uses a torch version lower than 2.6.0 while the application accepts torch versions greater than or equal to 2.0.

How to fix Deserialization of Untrusted Data?

Upgrade ms-swift to version 3.7.0 or higher.

[,3.7.0)

Improper Output Neutralization for Logs

ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the train method. An attacker can execute arbitrary system commands by injecting malicious input into parameters that are concatenated into shell commands.

How to fix Improper Output Neutralization for Logs?

Upgrade ms-swift to version 3.7.0 or higher.

[,3.7.0)

Deserialization of Untrusted Data

ms-swift is a Swift: Scalable lightWeight Infrastructure for Fine-Tuning

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the yaml.load function in tests/run.py when handling user-supplied YAML configuration files. An attacker can execute arbitrary code by providing a malicious YAML file to the --run_config argument.

How to fix Deserialization of Untrusted Data?

Upgrade ms-swift to version 3.7.0 or higher.

[,3.7.0)

ms-swift@2.4.0 vulnerabilities

Swift: Scalable lightWeight Infrastructure for Fine-Tuning

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically